DefenseClaw is Cisco's open-source agent governance framework that scans skills, Model Context Protocol (MCP) servers, plugins, and agent-generated code before and during execution. Announced at RSA Conference 2026 on March 23 alongside AI Defense Explorer Edition, it bundles an MCP Scanner, Skills Scanner, AI Bill of Materials (AI BoM) generator, and CodeGuard static analysis into one admission gate that integrates with NVIDIA OpenShell for runtime sandboxing. For security engineers evaluating AI agent security tools, DefenseClaw addresses the gap between the 85% of enterprises experimenting with agents and the 5% that have moved them to production.
The durable shift underneath the launch is supply-chain scanning, not another prompt-injection checklist. When 1,184 malicious skills can land on a marketplace and 492 MCP servers run without authentication, pre-deployment inventory and continuous rescanning matter as much as jailbreak testing.
Key takeaways:
- Cisco shipped DefenseClaw at RSA 2026 with five scanners (skills, MCP, A2A, CodeGuard, AI BoM) plus Splunk-ready telemetry.
- AI Defense Explorer Edition adds self-serve red teaming with GitHub Actions, GitLab, and Jenkins CI/CD hooks.
- DefenseClaw enforces block/allow lists in under two seconds and pairs with NVIDIA OpenShell for sandbox isolation.
- Agent security in 2026 is a supply-chain problem first; MCP servers and skill registries are the new npm attack surface.
- Wasm sandboxes complement scanners but do not replace inventory and admission control.
What Cisco shipped at RSA 2026
At RSA Conference 2026 in San Francisco, Cisco announced a full agent-security stack anchored on three pillars: protecting the world from agents, protecting agents from the world, and detecting AI incidents at machine speed. (Source: Cisco Newsroom)
DefenseClaw is the open-source piece. It consolidates Skills Scanner, MCP Scanner, AI BoM, and CodeGuard into a single framework that automates scanning, sandboxing, and inventory so developers skip manual security steps. Cisco plans direct integration with NVIDIA OpenShell as the runtime sandbox. (Source: Cisco Newsroom)
AI Defense Explorer Edition democratizes red teaming. Built on the same validation engine used by Global 2000 customers, it offers dynamic multi-turn adversarial testing, prompt-injection and jailbreak resistance checks, exportable security reports, and API-first access for GitHub Actions, GitLab, Jenkins, and custom pipelines. (Source: Cisco Newsroom)
The adoption numbers frame why these tools exist. In a recent Cisco survey of major enterprise customers, 85% reported experimenting with AI agents, but only 5% had moved agentic technology into production. (Source: Cisco Newsroom)
Jeetu Patel, President and Chief Product Officer at Cisco, framed the stakes: "AI agents aren't just making existing work faster; they're a new workforce of co-workers that dramatically expand what organizations can accomplish." Security teams, he argued, are the key to making that workforce trustworthy. (Source: Cisco Newsroom)
DefenseClaw became available on GitHub at github.com/cisco-ai-defense/defenseclaw on March 27, 2026. (Source: Cisco DefenseClaw Blog)
Why agent security moved from prompt injection to supply-chain scanning
Model Context Protocol (MCP) is an open standard, released by Anthropic in late 2024, that defines how AI models connect to external tools, data sources, and services. Microsoft, OpenAI, Google, Amazon, GitHub Copilot, VS Code, and Cursor all support it. The protocol was built for capability first; authentication, authorization, and sandboxing were left to implementers, and many skipped all three during the AI rush. (Source: CyberDesserts)
The 2026 incident record makes the pattern visible. Antiy CERT confirmed 1,184 malicious skills across ClawHub, OpenClaw's official marketplace. Trend Micro found 492 MCP servers exposed to the internet with zero authentication. BlueRock Security reported 36.7% of analyzed MCP servers were potentially vulnerable to server-side request forgery. (Source: CyberDesserts)
Security researcher Simon Willison named the architectural flaw the lethal trifecta: an agent with access to private data, that processes untrusted content, and can communicate externally is exploitable by design. Most deployed MCP agents have all three because that combination is what makes them useful. (Source: CyberDesserts)
OWASP's Top 10 for Agentic Applications 2026 classifies goal hijack as ASI01 and supply-chain compromise through skills or registry packages as ASI04. Cisco's own State of AI Security 2026 found only 29% of organizations reported being prepared to secure agentic deployments. (Sources: CyberDesserts, Cisco via CyberDesserts)
For a breach-level view of how these failures compound, see our coverage of three real agent security incidents in 2026.
How DefenseClaw's five scanners work as an admission gate
DefenseClaw is an operational governance layer, not a passive scanner dashboard. Cisco describes three core functions: scan everything before it runs, detect threats at runtime, and enforce block/allow lists with non-advisory consequences. (Source: Cisco DefenseClaw Blog)
The scan engine includes five tools: skill-scanner, mcp-scanner, a2a-scanner, CodeGuard static analysis, and an AI BoM generator. When you install a skill, plugin, or MCP server through the DefenseClaw CLI, it scans first, checks block/allow lists, generates a manifest, and only then installs. Nothing bypasses the admission gate. (Source: Cisco DefenseClaw Blog)
Runtime monitoring closes the gap that install-time scanning alone cannot cover. A skill clean on Tuesday can start exfiltrating data on Thursday. DefenseClaw's content scanner inspects every message flowing in and out of the agent at the execution loop itself, checking for injection attacks, data exfiltration, and command-and-control patterns. (Source: Cisco DefenseClaw Live Blog)
Enforcement is immediate. When you block a skill, its sandbox permissions are revoked, files are quarantined, and the agent receives an error on invocation. When you block an MCP server, the endpoint is removed from the sandbox network allow-list and OpenShell denies connections. Cisco claims this happens in under two seconds with no restart required. (Source: Cisco DefenseClaw Blog)
The architecture pairs a Python operator CLI (defenseclaw) with a Go gateway sidecar that enforces policy on live tool_call and tool_result traffic, backed by OPA/Rego admission rules and SQLite audit trails. (Source: Cisco AI Defense Docs)
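As an added toy illustration of that gate order (example code, not DefenseClaw's own; the Finding, Policy, build_manifest, admit and revoke names and shapes are assumptions), the following keeps block and allow lists, pins admitted content by hash so a changed skill is not trusted by name, records a manifest with a structured audit event, and shows what revoking an admitted endpoint removes:

```python
import hashlib
import json
from dataclasses import dataclass, field

SEVERITY = {"low": 0, "medium": 1, "high": 2, "critical": 3}

@dataclass
class Finding:                 # one scanner result (assumed shape, not a DefenseClaw type)
    rule: str
    severity: str

@dataclass
class Policy:
    block: set = field(default_factory=set)    # names that never install
    allow: dict = field(default_factory=dict)  # name -> sha256 of the exact content last admitted
    max_severity: str = "medium"               # worst finding the gate still admits

def build_manifest(name, kind, content: bytes, findings) -> dict:
    """Record what is about to be installed: identity, content hash and scan findings."""
    return {"name": name, "kind": kind, "sha256": hashlib.sha256(content).hexdigest(),
            "findings": [{"rule": f.rule, "severity": f.severity} for f in findings]}

def admit(name, kind, content: bytes, findings, policy: Policy):
    """Gate order as described above: scan -> block/allow lists -> manifest -> install decision.
    Returns the verdict and a JSON audit event suitable for a SIEM or an audit table."""
    m = build_manifest(name, kind, content, findings)
    worst = max((SEVERITY[f.severity] for f in findings), default=-1)
    if name in policy.block:
        verdict, reason = "block", "name is on the block list"
    elif name in policy.allow and policy.allow[name] != m["sha256"]:
        # The allow list pins content, so a skill that changed since approval is not trusted by name.
        verdict, reason = "block", "content differs from the pinned hash; re-review required"
    elif worst > SEVERITY[policy.max_severity]:
        verdict, reason = "block", f"finding severity exceeds threshold '{policy.max_severity}'"
    else:
        verdict, reason = "allow", "scan within threshold"
        policy.allow[name] = m["sha256"]       # pin what was actually admitted
    event = {"action": "admission", "verdict": verdict, "reason": reason, "manifest": m}
    return verdict, json.dumps(event, sort_keys=True)

def revoke(name, policy: Policy, network_allow: set, endpoint=None) -> set:
    """Blocking after admission: drop the pin, add to the block list and remove the
    endpoint from the sandbox network allow-list (the step the page attributes to OpenShell)."""
    policy.allow.pop(name, None)
    policy.block.add(name)
    if endpoint is not None:
        network_allow.discard(endpoint)
    return network_allow
```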
"DefenseClaw is the operational governance layer that was missing from the stack. NVIDIA provided the sandbox foundation with OpenShell. The Cisco AI Defense team open sourced the scanners. DefenseClaw brings them together into one governed loop."
Operator note (first-hand): The public repo at github.com/cisco-ai-defense/defenseclaw lists scanner surfaces for skills (cisco-ai-skill-scanner), MCP servers (cisco-ai-mcp-scanner), plugins, CodeGuard, and guardrail proxy rules under policies/guardrail/default/rules/. The documented install path starts with defenseclaw setup skill-scanner followed by defenseclaw mcp scan <url> before admitting any MCP endpoint. Treat that two-step sequence as the minimum reproducible gate for any OpenClaw deployment audit.
AI BoM and MCP inventory for agentic workloads
An AI Bill of Materials (AI BoM) works like a software bill of materials (SBOM) but inventories AI-specific assets: which agents run, which skills they load, which MCP servers they connect to, and which models they call. DefenseClaw generates and continuously updates this inventory as agents evolve, giving security teams a live auditable record rather than a one-time snapshot. (Source: Cisco Newsroom)
Every DefenseClaw deployment streams structured events to Splunk by default: scan findings, block/allow decisions, prompt-response pairs, tool calls, policy enforcement actions, and alerts. The goal is zero-to-governed-agent in under five minutes with observability baked in from first boot. (Source: Cisco DefenseClaw Blog)
For teams already instrumenting MCP gateways, our CSA write-up on MCP RCE reality and our piece on STDIO config execution risk explain why inventory without runtime policy still leaves blind spots.
DefenseClaw vs manual MCP audits vs Wasm sandboxes
Not every control layer solves the same failure mode. Scanners catch malicious skills and misconfigured MCP endpoints before admission. Sandboxes constrain what a compromised agent can reach at runtime. Manual audits work for small fleets but do not scale when skill registries update daily.
| Control layer | Primary job | Best for | Limitation |
|---|---|---|---|
| DefenseClaw scanners + gateway | Pre-install scan, runtime inspection, AI BoM, Splunk audit | OpenClaw and agent runtimes with MCP toolchains | Requires CLI/gateway deployment; expanding to Claude Code and Codex |
| Manual MCP endpoint audit | Find exposed /mcp and /sse bindings, rotate creds | Incident response and baseline discovery | No continuous drift detection |
| WebAssembly sandbox (e.g., Boxer) | Isolate untrusted agent-generated code without shared kernel | Code execution boundaries, edge deployment | Does not inventory MCP servers or scan skill registries |
Dan Phillips, systems engineer and founder of WebAssembly Chicago, argued at Wasm I/O 2026 that WebAssembly offers isolation without a shared kernel: "Instead of starting from the kernel or containers, you start with nothing and then add from there. This makes certain exploits unavailable by construction." The open-source Boxer project converts Dockerfiles to universally runnable Wasm distributions so developers avoid rewrites. (Source: The New Stack)
Wasm and DefenseClaw are complementary. Wasm shrinks the execution blast radius; DefenseClaw answers which tools and skills are allowed in the first place and logs every decision for the SOC.
How to adopt DefenseClaw in a DevSecOps pipeline
Decision rule: If agents can install skills or MCP servers without a security gate, treat that path like unreviewed npm install in production and block it at the CI/CD layer first.
A practical rollout sequence:
- Baseline inventory: Run MCP endpoint discovery across your environment and map agent config paths (.mcp.json, ~/.openclaw/credentials/) to owners.
- Admission gate: Wire defenseclaw mcp scan and skill-scanner into install scripts so no capability enters without a manifest.
- CI/CD red team: Add AI Defense Explorer Edition to GitHub Actions or Jenkins to test models and agent apps for jailbreaks before merge.
- Runtime enforcement: Deploy the gateway sidecar with block/allow lists and Splunk forwarding before granting production tool access.
- Sandbox pairing: Layer NVIDIA OpenShell policies for network deny-by-default on top of scanner verdicts.
AI Defense Explorer Edition's API-first design targets exactly this pipeline: developers and AppSec teams invite teammates, export compliance-ready reports, and upgrade to Enterprise RBAC when role separation is required. (Source: Cisco Newsroom)
Teams running OpenClaw on Windows should read our Scout and OpenClaw agent OS coverage for how host-level agent platforms change the threat model DefenseClaw assumes.
FAQ
What is Cisco DefenseClaw?
DefenseClaw is Cisco's open-source security governance framework for agentic AI runtimes, especially OpenClaw. It scans skills, MCP servers, plugins, and generated code before execution, monitors runtime traffic for injection and exfiltration, enforces block/allow policies, and exports audit telemetry to Splunk. Cisco announced it at RSA Conference 2026 and published it on GitHub March 27, 2026. (Source: Cisco Newsroom)
What tools does DefenseClaw include?
The framework bundles five scanners: skill-scanner, mcp-scanner, a2a-scanner, CodeGuard static analysis, and an AI BoM generator. A Go gateway sidecar enforces policy on live tool calls, and a guardrail proxy can front upstream LLMs. Native support for Claude Code, OpenCode, ZeroClaw, and Codex is listed as coming soon. (Sources: Cisco DefenseClaw Blog, Cisco AI Defense Docs)
How does DefenseClaw scan MCP servers?
The defenseclaw mcp scan <url> command probes MCP endpoints before admission. Verdicts feed block/allow lists; blocked servers are removed from the sandbox network allow-list with OpenShell denying connections in under two seconds. Continuous directory watchers rescan manually added plugins and skills. (Source: Cisco DefenseClaw Blog)
What is an AI Bill of Materials for agents?
An AI BoM inventories every AI asset in an environment: running agents, attached skills, connected MCP servers, and underlying models. DefenseClaw generates and updates this inventory automatically as agents change, similar to how SBOMs track traditional software dependencies. (Source: Cisco Newsroom)
How does DefenseClaw integrate with NVIDIA OpenShell?
Cisco integrates DefenseClaw with NVIDIA OpenShell, which provides kernel-level sandboxing, deny-by-default network access, YAML policy enforcement, and a privacy router for sensitive data. DefenseClaw handles scanning, admission, and audit; OpenShell constrains what admitted capabilities can do at runtime. (Sources: Cisco Newsroom, Cisco DefenseClaw Blog)
Can DefenseClaw run in CI/CD pipelines?
Yes. Cisco AI Defense Explorer Edition offers API-first access for GitHub Actions, GitLab, Jenkins, and custom pipelines, enabling automated red teaming and security reporting before agents reach production. DefenseClaw's CLI scanners can gate skill and MCP installs in build scripts. (Source: Cisco Newsroom)
Related coverage
- AI agent security: 3 real breaches in 2026: ClawHavoc scale, Copilot CVE, and industry anxiety stats.
- MCP security reality check: CSA write-up on OX RCE: when MCP design assumptions break under exploit chains.
- MCP STDIO risk: when config becomes command execution: why repository-level MCP config files are execution vectors.
- Scout and OpenClaw: Windows becomes an agent OS: host-level agent platforms and the OpenClaw ecosystem DefenseClaw targets.
References
- Cisco AI Defense Docs - https://cisco-ai-defense.github.io/docs/defenseclaw
- Cisco DefenseClaw Blog - https://blogs.cisco.com/security/cisco-announces-defenseclaw
- Cisco Newsroom RSA 2026 - https://newsroom.cisco.com/c/r/newsroom/en/us/a/y2026/m03/cisco-reimagines-security-for-the-agentic-workforce.html
- CyberDesserts Agent Security - https://blog.cyberdesserts.com/ai-agent-security-risks
- DefenseClaw GitHub - https://github.com/cisco-ai-defense/defenseclaw
- The New Stack Wasm Sandboxing - https://thenewstack.io/webassembly-sandboxing-ai-agents